b'\x0c\x0c\x0c                                  IMPROVEMENTS TO THE GSA PRIVACY ACT\n                                   PROGRAM ARE NEEDED TO ENSURE THAT\n                                  PERSONALLY IDENTIFIABLE INFORMATION\n                                      (PII) IS ADEQUATELY PROTECTED\n                                     REPORT NUMBER A060228/O/T/F08007\n\n                                                      TABLE OF CONTENTS\n                                                                                                                                          PAGE\n\nEXECUTIVE SUMMARY ............................................................................................................. i\n  Purpose......................................................................................................................................... i\n  Background ................................................................................................................................. ii\n  Results-in-Brief ........................................................................................................................... ii\n  Recommendations ...................................................................................................................... iii\n  Management Comments ............................................................................................................ iv\nINTRODUCTION .......................................................................................................................... 1\n  Objectives, Scope, and Methodology ......................................................................................... 2\nRESULTS OF AUDIT.................................................................................................................... 4\n  GSA\xe2\x80\x99s Privacy Act Program Has Not Yet Established Needed Safeguards .............................. 
4\n        Improved Management Controls Are Needed to Guide the Agency\xe2\x80\x99s Privacy Act\n        Program .................................................................................................................. 5\n        Privacy Policies and Procedures Have Not Fully Considered PII Maintained Outside of\n        Major IT Systems that Collect and Store PII.......................................................... 7\n        Appropriate Privacy-Related Clauses Are Needed in All IT Contracts ................. 8\n        Role-Based Training Is Necessary to Clarify Privacy Responsibilities ................. 8\n  System Vulnerability Tests Revealed Weaknesses in Configuration and Patch Management .. 9\n        System Configuration Settings Improvements Are Needed ................................... 9\n        Timely Patch Management Could Reduce Security Vulnerabilities ...................... 10\n  Implementing Specific Controls for PII Requires Additional Actions ..................................... 10\n  Conclusion ................................................................................................................................ 12\n  Recommendations ..................................................................................................................... 13\n  Management Comments ........................................................................................................... 13\n  Internal Controls ....................................................................................................................... 14\n\n                                                              APPENDICES\n\nAppendix A \xe2\x80\x93 GSA Data Collection Instrument ........................................................................ A-1\nAppendix B \xe2\x80\x93 Timeline of GSA Activities Related to Privacy Controls ................................... 
B-1\nAppendix C \xe2\x80\x93Vulnerability Scanning Results ............................................................................ C-1\nAppendix D \xe2\x80\x93 CHCO/CIO Consolidated Response to Draft Report .......................................... D-1\nAppendix E \xe2\x80\x93 Report Distribution ............................................................................................... E-1\n\x0c                       IMPROVEMENTS TO THE GSA PRIVACY ACT\n                        PROGRAM ARE NEEDED TO ENSURE THAT\n                       PERSONALLY IDENTIFIABLE INFORMATION\n                           (PII) IS ADEQUATELY PROTECTED\n                          REPORT NUMBER A060228/O/T/F08007\n\n                                   EXECUTIVE SUMMARY\n\nPurpose\n\nThe General Services Administration\xe2\x80\x99s (GSA) Chief Human Capital Officer (CHCO) has\nprimary responsibility for the Agency\xe2\x80\x99s Privacy Act Program, including development and\nimplementation of privacy data protection policies. The GSA Privacy Act Program is intended\nto ensure that the Agency fulfills the requirements of the Privacy Act of 1974, which was\nenacted to balance a person\'s right to privacy with the Federal Government\'s need for\ninformation to carry out its responsibilities. All Federal agencies are required to establish and\nimplement comprehensive privacy and data protection procedures governing the collection, use,\nsharing, disclosure, transfer, storage, and security of information in an identifiable form relating\nto the Agency\xe2\x80\x99s employees and the public. 
The objective of our audit of the Agency\xe2\x80\x99s Privacy\nAct Program was to determine if GSA: (1) manages sensitive personal information pursuant to\nlegal and regulatory requirements, including e-Government provisions for privacy controls; (2)\nhas implemented technical, managerial, and operational privacy-related controls to effectively\nmitigate risks inherent to Privacy Act systems of records; and (3) has established procedures and\nautomated mechanisms to verify control efficacy. If not, what additional measures are needed to\nimprove protection of such sensitive data at GSA?\n\nThe E-Government Act of 2002 addresses privacy protections when citizens interact with the\nFederal government and was enacted to improve the methods by which government information,\nincluding information on the Internet, is organized, preserved, and made accessible to the public.\nGuidance on implementing the E-Government Act of 2002 directs agencies to conduct reviews\nof how information about individuals is handled within their agency when they use information\ntechnology (IT) to collect new information, or when agencies develop or buy new IT systems to\nhandle collections of personally identifiable information (PII). Agencies are also directed to\ndescribe how the government handles information that individuals provide electronically, so that\nthe American public has assurances that personal information is protected. 
With the\nimplementation of the E-Government Act of 2002, agencies are now required to: (1) inform and\neducate employees and contractors of their responsibility for protecting information in\nidentifiable form; (2) identify those individuals in the agency that have day-to-day responsibility\nfor implementing section 208 of the E-Government Act, the Privacy Act, or other privacy laws\nand policies; (3) designate an appropriate senior official or officials to serve as the agency\xe2\x80\x99s\nprincipal contact(s) for information technology/web matters and for privacy policies and\ncoordinate implementation of Office of Management and Budget (OMB) web and privacy policy\nand guidance; and (4) designate an appropriate official (or officials, as appropriate) to serve as\nthe \xe2\x80\x9creviewing official(s)\xe2\x80\x9d for agency Privacy Impact Assessments (PIAs). Additional controls\nfor electronic files, including those that may contain PII are required to manage increasing risks\nin this area.\n\n\n\n                                                 i\n\x0cTo improve safeguards for sensitive information maintained across Federal agencies, OMB\nissued memorandum M-06-16, Protection of Sensitive Agency Information, on June 23, 2006.\nThe memorandum stresses that Federal agencies need to take all necessary/reasonable measures\nto swiftly eliminate significant vulnerabilities to the sensitive information entrusted to them. It\nrequires agencies to take certain actions to ensure that safeguards are in place and appropriately\nreviewed within 45 days (August 7, 2006) from the issuance of the memorandum. In August\n2006, the President\xe2\x80\x99s Council on Integrity and Efficiency (PCIE)/ Executive Council on Integrity\nand Efficiency (ECIE) provided a review guide and Data Collection Instrument (DCI) to the\nInspectors General (IG) community for use in assessing compliance with OMB requirements for\nsecuring sensitive data as identified in M-06-16. 
We assessed GSA\xe2\x80\x99s compliance with OMB M-\n06-16 as part of this review, and the completed DCI previously provided to the PCIE and the\nCHCO is included in Appendix A 1 .\n\nBackground\n\nOMB defines PII as \xe2\x80\x9cinformation which can be used to distinguish or trace an individual\'s\nidentity, such as their name, social security number, biometric records, etc. alone, or when\ncombined with other personal or identifying information which is linked or linkable to a specific\nindividual, such as date and place of birth, mother\xe2\x80\x99s maiden name, etc. 2 \xe2\x80\x9d Management activities\nstress that privacy protection is both a personal and fundamental right of individuals, including\nGSA Associates, clients, and members of the public, when personal information is collected,\nmaintained, and used by GSA organizations to carry out its responsibilities and provide services.\nAlso, OMB emphasized the need for better protection of PII in OMB Memorandum M-06-16,\nissued in June 2006, and OMB Memorandum M-07-16, Safeguarding Against and Responding to\nthe Breach of Personally Identifiable Information, issued in May 2007. Memorandum M-06-16\nstresses the importance of an agency\xe2\x80\x99s baseline of privacy activities and requires that agencies\nproperly safeguard their assets while using information technology. The memorandum requires\nagencies to review their privacy controls against a checklist for protection of remote information\nand implement additional controls aimed at increased protection of portable devices.\nAdditionally, Memorandum M-07-16 requires that agencies develop and implement a breach\nnotification policy to reduce the risks related to a potential loss of PII or a data breach. The use\nof social security numbers (SSNs) in agency systems and programs must also be carefully\nreconsidered to identify instances in which collection or use of PII is superfluous. 
Appendix B\nprovides a timeline of major milestones related to specific controls required for the protection of\nPII.\n\nResults-in-Brief\n\nAs the GSA Senior Agency Official for Privacy, the CHCO is responsible for establishing and\noverseeing the Agency\xe2\x80\x99s Privacy Act Program and for ensuring compliance with privacy laws,\nregulations and related Agency policy. With issuance of a benchmark report, the CHCO has\n\n1\n  Due to sensitive information included in Appendix A, this information is provided only to the Offices of the\nCHCO and Chief Information Officer.\n2\n  OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable\nInformation, issued May 2007.\n\n\n                                                         ii\n\x0chighlighted GSA\xe2\x80\x99s use of information in an identifiable form, identified the Agency\xe2\x80\x99s privacy\nand data protection policies and procedures, and required the use of certain technical controls to\nprotect PII. The Office of the CHCO (OCHCO) has worked with the GSA Chief Information\nOfficer (CIO), who manages the Agency\xe2\x80\x99s Information Technology (IT) Security Program, to\nissue a joint instructional letter which introduces Agency-specific policy and direction for\nprotecting PII in GSA IT systems, including associated records of that information, such as\nprinted paper documents or other storage media. GSA also recognizes the need to eliminate\nunnecessary use of social security numbers in IT systems. However, while improvements have\nbeen made to the GSA Privacy Act Program, key components are not yet in place to ensure that\nPII is adequately protected from inappropriate access or modification. 
The Privacy Act Program\nhas not yet ensured that all required privacy controls are in place and operating effectively and\nthat GSA Associates and contractors are fully aware of key roles, responsibilities, and\naccountability for protecting PII across GSA\xe2\x80\x99s IT infrastructure.           Improved management\ncontrols are needed to guide GSA\xe2\x80\x99s Privacy Act Program, including a comprehensive assessment\nof the adequacy of existing controls. Additionally, GSA needs to ensure that all IT support\ncontracts include the appropriate privacy related clauses to ensure that contractors are aware of\nrestrictions on Privacy Act data and their responsibilities for protecting PII. While the OCHCO\nhas provided basic privacy awareness training to the majority of GSA Associates and\ncontractors, role-based privacy training is needed for GSA Associates and contractors who are\nresponsible for the protection of PII. Further, vulnerability scans performed on a sample of\nGSA\xe2\x80\x99s major IT systems that collect and store PII revealed that software security patches have\nnot been consistently and promptly applied, leaving these systems vulnerable to known security\nweaknesses. 
In response to evolving requirements aimed at improving the protection of PII,\nincluding remote access to and transportation and storage of PII, GSA has taken steps to better\nprotect PII; however, further action is needed to ensure that shared goals for preventing,\ndetecting, and/or recovering from a PII security breach are established and achieved to manage\nescalating risks in this area.\n\nRecommendations\n\nTo better manage risks of unauthorized or unintentional disclosure of personally identifiable\ninformation (PII), we recommend that the Chief Human Capital Officer:\n\n   (1) Develop an implementation plan for the Privacy Act Program which identifies key roles,\n       responsibilities, milestones, and management performance measures to achieve long-term\n       improvement goals.\n   (2) Work closely with the Chief Information Officer to establish collaborative agency-wide\n       procedures to:\n           (a)    Ensure that the Privacy Act Program is integrated with the Agency\xe2\x80\x99s security\n                  program and assesses risk with and identifies controls for all PII, including PII\n                  residing outside of major IT systems.\n           (b)    Periodically assess the need for and potential uses of automated content\n                  management and data leakage tools or other procedures to assist in identifying\n                  and protecting PII within GSA\xe2\x80\x99s IT and system environment.\n\n\n\n\n                                               iii\n\x0c           (c)     Confirm that required security hardening guides are being followed and that\n                   vulnerabilities are promptly recorded and mitigated for major IT systems that\n                   collect and store PII.\n           (d)     Implement remaining privacy controls required by M-06-16, including\n                   encryption and two-factor authentication for systems maintaining PII.\n           (e)     Develop a plan that includes the key 
activities, milestones, and performance\n                   measures necessary to guide GSA in discontinuing the collection and storage\n                   of social security numbers in IT systems where no longer required.\n   (3) Work with the Office of the Chief Acquisition Officer to review contracts in support of\n       major IT systems that collect and store PII to ensure that the appropriate privacy clauses\n       have been included and that contractors supporting GSA\xe2\x80\x99s IT systems that collect and\n       store PII are aware of and fulfill their roles and responsibilities for protecting GSA\xe2\x80\x99s PII.\n   (4) Complete development and implementation of role-based training for GSA Associates\n       and contractors who are responsible for protecting sensitive information, including PII.\n\nManagement Comments\n\nThe CHCO and CIO provided consolidated management comments on March 28, 2008 on\nspecific audit findings and recommendations in response to our draft report. The comments\nindicate a general concurrence with our audit findings and recommendations, and a copy of the\ncomments is included as Appendix D. The CHCO and the CIO agreed with our recommendation\nto develop an implementation plan for the Privacy Act Program which identifies key roles,\nresponsibilities, milestones, and management performance measures to achieve long-term\nimprovement goals. Management also acknowledged the need to do more to protect PII and\nidentified planned actions to meet audit recommendations.      Management comments indicate\nthat the CHCO will work closer with the OCIO to ensure that hardening guides are being\nappropriately applied and that the CHCO is working with the Office of Procurement\nManagement Review, Office of Acquisition Integrity to randomly audit Privacy Act systems to\nensure that the proper FAR clauses are included. 
In response to our recommendation to\nimplement remaining privacy controls required by OMB Memorandum M-06-16, management\ncomments provided additional information on the status of two of the three remaining\nrequirements. The response also stated that GSA was unaware of a technical means to log all\ncomputer-readable data extracts from databases holding sensitive information and verify that\neach extract including sensitive data has been erased within 90 days or its use is still required.\nWhile management comments explained that some manual processes are being used in a limited\ncapacity to support this requirement, we reaffirm the importance of determining an automated\nmethod to implement this control.\n\nManagement comments highlight activities recently completed and planned related to our\nrecommendation to develop a plan that includes key activities, milestones, and performance\nmeasures necessary to guide GSA is discontinuing the collection and storage of SSNs in IT\nsystems where no longer required. In response to our recommendation to complete development\nand implementation of role-based training for GSA Associates and contractors responsible for\nprotecting sensitive information, including PII, management comments discuss goals to begin\nrole-based training and highlight a 95% completion rate of the Privacy Awareness training over\nthe past year. Management comments in response to our recommendation to assess the need for\n\n\n\n                                                iv\n\x0cand potential uses of automated content management and data leakage tools or other procedures\nto assist in identifying and protecting PII within GSA\xe2\x80\x99s IT and system environment explain that\nthe OCIO is currently evaluating data leakage prevention tools to assist in identifying and\nprotecting PII within GSA\xe2\x80\x99s IT and system environment. 
While evaluating automated content\nand data leakage tools is a first step toward better protecting PII stored outside of IT systems that\nmaintain Privacy Act data, our audit found that the Privacy Act Program has not yet ensured that\nPII stored on laptops and servers or in databases or applications that are not considered part of a\nmajor IT system is identified and protected as needed. Over the past year we identified\nnumerous instances where PII stored outside of major IT systems was placed at undue risk.\nTherefore, we reaffirm the need to better ensure that all PII in GSA\xe2\x80\x99s IT systems environment be\nidentified and properly protected from unauthorized access, modification, and disclosure.\n\n\n\n\n                                                 v\n\x0c                         IMPROVEMENTS TO THE GSA PRIVACY ACT\n                          PROGRAM ARE NEEDED TO ENSURE THAT\n                         PERSONALLY IDENTIFIABLE INFORMATION\n                             (PII) IS ADEQUATELY PROTECTED\n                            REPORT NUMBER A060228/O/T/F08007\n\n                                           INTRODUCTION\n\nThe Office of Management and Budget (OMB) has defined personally identifiable information\n(PII) as \xe2\x80\x9cinformation which can be used to distinguish or trace an individual\'s identity, such as\ntheir name, social security number, biometric records, etc. alone, or when combined with other\npersonal or identifying information which is linked or linkable to a specific individual, such as\ndate and place of birth, mother\xe2\x80\x99s maiden name, etc.\xe2\x80\x9d Information systems containing PII can be\neither electronic or manual. 
Various laws and regulations address the need to protect sensitive\ninformation held by government agencies, specifically the Privacy Act of 1974 (and revisions),\nthe E-Government Act of 2002 [including the Federal Information Security Management Act\n(FISMA)], and related OMB circulars and memoranda.\n\nIn January 2003, the General Services Administration (GSA) Office of Inspector General (OIG)\nInformation Technology (IT) Audit Office issued a report 3 on controls for the General Services\nAdministration\xe2\x80\x99s (GSA) privacy data. At that time, we found that: (1) controls for GSA\xe2\x80\x99s\nsensitive data needed to be more robust to adequately address risks in an automated business\nenvironment; (2) roles and responsibilities for protecting Privacy Act data from unauthorized\ndisclosure may not have been effectively communicated; (3) online security training required for\nGSA Associates and contractors in 2002 did not cover Privacy Act requirements or restrictions\non unauthorized disclosures of personal information entrusted to those who work with sensitive\nfiles; (4) GSA IT service contracts did not state the need to protect Privacy Act data and failed to\nspecify restrictions or penalties for unauthorized disclosures; (5) periodic review of web server\ncontent would strengthen controls to prevent improper disclosure of Privacy Act data on GSA\nweb servers located outside the firewall, as well as those accessible within GSA; and (6) the list\nof Systems of Records was not up-to-date and comprehensive. 
We recommended that the Chief\nPeople Officer (CPO) 4 work closely with the Chief Information Officer (CIO) to improve the\nmanagement of GSA\xe2\x80\x99s Privacy Act data by: (1) coordinating with the Office of Acquisition\nPolicy to ensure that appropriate Privacy Act requirement clauses are included in IT support\ncontracts utilized by GSA and that roles and responsibilities for the protection of sensitive data\nare made explicit for contractors entrusted with such data, (2) updating GSA\xe2\x80\x99s Systems of\nRecords list, and (3) ensuring that accountability and responsibility is assigned for identifying\nand implementing specific controls for each of GSA\xe2\x80\x99s Systems of Records.\n\nIn January 2006 5 , we completed an implementation review of management actions taken on the\nthree recommendations in the 2003 audit report. We found that management had taken actions\nin accordance with the time-phased action plan provided in response to our 2003 report;\n\n3\n  Review of Controls for GSA\xe2\x80\x99s Privacy Act Data, Report Number A020256/O/T/F03005, dated January 6, 2003.\n4\n  The GSA CPO was officially renamed the Chief Human Capital Officer (CHCO) in October 2006.\n5\n  Implementation Review of Controls for GSA\xe2\x80\x99s Privacy Act Data, Report Number A020256/O/T/F03005, dated\nJanuary 6, 2003, Assignment Number A060045, dated January 18, 2006.\n\n\n                                                     1\n\x0chowever, conditions raised in the initial report remained. Contracts for two of the three systems\nwe reviewed did not include appropriate Federal Acquisition Regulation (FAR) clauses for\nPrivacy Act systems, and GSA\xe2\x80\x99s list of Privacy Act systems, maintained by the Office of the\nChief Human Capital Officer (OCHCO), was still not complete. 
Further, clear roles and\nresponsibilities for GSA Associates and contractors were not yet established across GSA, and\ntraining had not been provided to ensure that responsible individuals were aware of requirements\nfor protecting GSA Privacy Act data.\n\nObjectives, Scope, and Methodology\n\nThe objective of our review of the Agency\xe2\x80\x99s Privacy Act Program was to determine if GSA: (1)\nmanages sensitive personal information pursuant to legal and regulatory requirements, including\ne-Government provisions for privacy controls; (2) has implemented technical, managerial, and\noperational privacy-related controls to effectively mitigate risks inherent to Privacy Act Systems\nof Records; and (3) has established procedures and automated mechanisms to verify control\nefficacy. If not, what additional measures are needed to improve protection of sensitive data?\nWe gathered information related to actions that GSA has taken to protect PII prior to and in\nresponse to OMB Memorandum M-06-16 and considered recently developed Agency policy\nregarding the protection of sensitive information. We considered the Agency\xe2\x80\x99s mandatory on-\nline privacy training, information disseminated through the Privacy Act Program internal and\nexternal websites, and an Information Paper on the actions taken by GSA to meet the\nrequirements of M-06-16. We also reviewed a GSA report responding to OMB Memorandum\nM-06-20 and Section 522 of the Transportation, Treasury, Independent Agencies, and General\nGovernment Appropriations Act, 2005. We interviewed appropriate staff from GSA\xe2\x80\x99s OCHCO\nand OCIO with key responsibilities for ensuring the protection of PII. 
We also provided input\nbased on the audit work completed during this review for the OIG response to privacy questions\nas part of its annual reporting on FISMA for fiscal year (FY) 2007 6 .\n\nDuring audit survey, we reviewed security documentation for seven major IT systems that collect\nand store PII, including analyzing the security plans for GSAJobs, the Excluded Parties List\nSystem (EPLS), the System for Tracking and Administering Real-Property (STAR), and the EDS\ne-Travel System (EDS), and the risk assessments for the STAR, FedBizOps (FBO), the Carlson\nWagonlit e-Travel System (CWGT), and the Northrup Grumman Mission System e-Travel\nSystem (NGMS) against the National Institute of Standards and Technology (NIST) Guide for\nDeveloping Security Plans for Information Technology Systems, Special Publication (SP) 800-\n18 and the NIST Risk Management Guide for Information Technology Systems SP 800-30,\nrespectively. We also reviewed Privacy Impact Assessments for FBO, the Federal Procurement\nData System \xe2\x80\x93 Next Generation (FPDS-NG) and STAR for adequacy. During audit fieldwork,\nwe interviewed system security officials, examined system privacy and security documentation,\nand used commercially available tools and agreed upon procedures to complete network security\nscanning and examine database configuration for three of GSA\xe2\x80\x99s major IT systems that collect\nand store PII \xe2\x80\x93 STAR, FBO, and CWGT. Web application security scanning was also performed\non FBO. 
Automated techniques were used to verify the degree of implementation of GSA\xe2\x80\x99s\n\n\n6\n FY 2007 Office of Inspector General FISMA Review of GSA\xe2\x80\x99s Information Technology Security Program, Report\nNumber A070108/O/T/F07015, dated September 17, 2007.\n\n\n                                                    2\n\x0chardening guides, and we tested NIST SP 800-53 controls related to privacy, selecting a subset\nof controls from eight of the 17 control families.\n\nTo assess managerial, operational, and technical PII controls for the Privacy Act Program and for\nthe three systems tested, we relied on applicable statutes, regulations, policies, and operating\nprocedures, such as: the GSA Information Technology Security Policy, CIO P 2100.1D, June\n2007; GSA Privacy Act Program, CPO 1878.1, October 2003; Conducting Privacy Impact\nAssessments (PIAs) in GSA, CPO 1878.2, May 2004; Safeguarding Personally Identifiable\nInformation, CIO IL-06-02, August 2006; Federal Information Processing Standards Publication\n(FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information\nSystems, February 2004; FIPS PUB 200, Minimum Security Requirements for Federal\nInformation and Information Systems, March 2006; NIST SP 800-53, Recommended Security\nControls for Federal Information Systems, February 2005; NIST SP 800-60, Guide for Mapping\nTypes of Information and Information Systems to Security Categorization Levels, June 2004;\nPublic Law 107-347, E-Government Act of 2002; OMB Circular A-130, Management of Federal\nInformation Resources, November 2000; the Privacy Act of 1974; the Federal Information\nSecurity Management Act of 2002; and the GSA CIO\xe2\x80\x99s IT procedural guides on password\ngeneration and protection, managing enterprise risk, access control, media sanitization, and\nauditing and monitoring. 
We also referenced OMB Memorandum M-06-16, Protection of\nSensitive Agency Information, June 23, 2006; OMB Memorandum M-03-22, OMB Guidance for\nImplementing the Privacy Provisions of the E-Government Act of 2002, September 2003; OMB\nMemorandum M-03-18, Implementation Guidance for the E-Government Act of 2002, August\n2003; OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable\nInformation and Incorporating the Cost for Security in Agency Information Technology\nInvestments, July 2006; and OMB Memorandum M-06-15, Safeguarding Personally Identifiable\nInformation, May 2006.\n\nWe conducted this performance audit work in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objectives. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objectives. The scope of our work did not\nassess the accuracy and integrity of the data within the three Privacy Act systems tested or\nconsider controls for paper-based Systems of Records 7 .\n\n\n\n\n7\n According to the Privacy Act of 1974, a \xe2\x80\x9cSystem of Record\xe2\x80\x9d is a group of any records under the control of any\nagency from which information is retrieved by the name of the individual or by some identifying number, symbol,\nor other identifying particular assigned to the individual.\n\n\n                                                        3\n\x0c                                     RESULTS OF AUDIT\n\nAs the GSA Senior Agency Official for Privacy, the CHCO is responsible for establishing and\noverseeing the Agency\xe2\x80\x99s Privacy Act Program and for ensuring compliance with privacy laws,\nregulations and related Agency policy. 
With issuance of a benchmark report, the CHCO has\nhighlighted GSA\xe2\x80\x99s use of information in an identifiable form, identified the Agency\xe2\x80\x99s privacy\nand data protection policies and procedures, and required the use of certain technical controls to\nprotect PII. The OCHCO has worked with the GSA-CIO, who manages the Agency\xe2\x80\x99s IT\nSecurity Program, to issue a joint instructional letter which introduces Agency-specific policy\nand direction for protecting PII in GSA IT systems, including associated records of that\ninformation, such as printed paper documents or other storage media. GSA also recognizes the\nneed to eliminate unnecessary use of social security numbers in IT systems. However, while\nimprovements have been made to the GSA Privacy Act Program, key components are not yet in\nplace to ensure that PII is adequately protected from inappropriate access or modification. The\nPrivacy Act Program has not yet ensured that all required privacy controls are in place and\noperating effectively and that GSA Associates and contractors are fully aware of key roles,\nresponsibilities, and accountability for protecting PII across GSA\xe2\x80\x99s IT infrastructure. Improved\nmanagement controls are needed to guide GSA\xe2\x80\x99s Privacy Act Program, including a\ncomprehensive assessment of the adequacy of existing controls. Additionally, GSA needs to\nensure that all IT support contracts include the appropriate privacy related clauses to ensure that\ncontractors are aware of restrictions on Privacy Act data and their responsibilities for protecting\nPII. While the OCHCO has provided basic privacy awareness training to the majority of GSA\nAssociates and contractors, role-based privacy training is needed for GSA Associates and\ncontractors who are responsible for the protection of PII. 
Further, vulnerability scans performed on a sample of major IT systems that collect and store PII revealed that software security patches have not been consistently and promptly applied, leaving these systems vulnerable to known security weaknesses. In response to evolving requirements aimed at improving the protection of PII and other sensitive information, including remote access to and transportation and storage of PII, GSA has taken steps to better protect PII; however, further action is needed to ensure that shared goals for preventing, detecting, and/or recovering from a PII security breach are established and achieved to manage escalating risks in this area.

GSA’s Privacy Act Program Has Not Yet Established Needed Safeguards

GSA’s Privacy Act Program is intended to ensure that the Agency fulfills the requirements of the Privacy Act of 1974 and provides privacy and data protection procedures governing the collection, use, sharing, disclosure, transfer, storage, and security of information in an identifiable form relating to the Agency’s employees and the public. However, improved management controls are needed to guide GSA’s Privacy Act Program, including a comprehensive assessment of the adequacy of existing controls. Further, policies and procedures established with the Privacy Act Program have not fully considered PII that may be maintained across GSA’s broader IT system environment, including PII stored outside of major IT systems that collect and store PII. Additionally, GSA needs to ensure that all IT support contracts include the appropriate privacy-related clauses to ensure that contractors are aware of restrictions on Privacy Act data and their responsibilities for protecting PII.
While basic privacy awareness training has been provided to all GSA Associates and contractors, role-based training for specialized job functions that handle PII, such as Human Resource Specialists and Payroll Specialists, is needed. This training would help ensure that all individuals with significant responsibilities related to PII are informed of risks and that required controls for the protection of Privacy Act information are in place and operating as intended.

Improved Management Controls Are Needed to Guide the Agency’s Privacy Act Program

Within GSA, primary management control responsibilities for protecting sensitive information, including PII, are dispersed among several key officials. The CHCO is the Senior Agency Official for Privacy, the GSA official responsible for establishing and overseeing the Agency’s Privacy Act Program and for ensuring GSA’s compliance with privacy laws, regulations and GSA policy. GSA’s CIO has overall responsibility for the Agency’s IT Security Program and the IT Capital Planning Program. As such, the CIO develops and implements security controls for Privacy Act data by reviewing Privacy Impact Assessments (PIAs) that are prepared by GSA Service and Staff Offices for security considerations for IT systems. The CIO is also responsible for verifying that the development of PIAs is a part of GSA’s IT Capital Planning and Investment Control Policy. System Authorizing Officials (AOs) also carry out key responsibilities for securing IT systems under their jurisdiction. Specifically, AOs are responsible for reviewing and approving PIAs for their organizations and for ensuring that identified Privacy Act systems that handle privacy data meet information privacy and security requirements.
They also review existing and proposed IT Privacy Act systems in their organizations to assess the need to conduct a PIA, coordinate the preparation of the PIA with program and system managers, and approve the PIA for their organizations.

Following OMB M-06-15, Safeguarding Personally Identifiable Information, issued May 2006, the OCHCO, as GSA’s designated Senior Agency Official for Privacy, took steps to review the Agency’s policies and processes, identify any deficiencies, and take corrective action as appropriate to ensure it has adequate safeguards to prevent the intentional or negligent misuse of, or unauthorized access to, PII. In August 2006, a joint instructional letter [8] from the GSA-CIO, who manages the Agency’s IT Security Program, and the CHCO introduced Agency-specific policy and direction for protecting PII in GSA IT systems, including associated records of that information, such as printed paper documents or other storage media. This instructional letter established security requirements beyond those established with GSA’s IT Security Program to specifically address risks with PII. Also, in August 2006, the OCHCO issued a benchmark report on GSA’s Privacy Act Program in response to Section 522 requirements within the Appropriations Act of 2005. The benchmark report discusses GSA’s use of information in an identifiable form, identifies the Agency’s privacy and data protection policies and procedures, and requires the use of certain technical controls. This report was provided to OMB as part of the Agency’s response to specific privacy control questions required with FISMA for FY 2006. Policies and procedures referenced in the report include controls established with GSA’s IT Security Program.
The Privacy Benchmark Report, however, did not: (1) comprehensively address the adequacy of the implementation of existing controls in GSA PII systems, including those established with the Agency IT Security Program; (2) identify deficiencies or improvement goals for the Privacy Act Program; or (3) develop a plan for improving the existing Privacy Act Program. A comprehensive agency-wide assessment, as required by M-06-15, is needed for GSA to adequately ensure that required privacy controls have been implemented and that the controls are operating as intended for both manual and automated systems across GSA.

[8] Safeguarding Personally Identifiable Information, CIO IL-06-02, issued August 2006.

In September 2007, when responding to specific privacy-related FISMA questions raised by OMB, we completed a qualitative assessment of the Agency’s (1) Privacy Impact Assessment (PIA) process, including adherence to existing policy, guidance, and standards, and (2) progress to date in implementing the provisions of M-06-15. As part of our assessment, we considered actions and activities undertaken since the Agency’s 2006 self-review, including the Agency’s policies and processes, and the administrative, technical, and physical means used to control and protect PII. With our annual 2007 FISMA audit report [9], we discussed progress made to date, including GSA’s appointment of a Senior Agency Official for Privacy, completion of the privacy benchmark report, updates to the IT Security Policy to reflect privacy requirements, and implementation of a PIA process. We also considered outstanding goals to develop and implement controls for encryption of PII stored on mobile devices or for accessing PII from personally owned computers.
We concluded that a comprehensive agency-wide assessment of the adequacy of existing privacy controls for PII, including clarification of primary roles and responsibilities for verifying the implementation of those controls, is a necessary step in moving toward common goals and processes for the protection of PII. Our review of contracts for a sample of IT systems that collect and store PII also found that contracts for systems with PII do not yet consistently include privacy-related FAR clauses. Further, security-related patches have not been consistently applied to automated systems, leaving some databases vulnerable to known security threats.

While improvements have been made to the GSA Privacy Act Program with increased controls for PII, GSA has not comprehensively assessed the adequacy of implementation for existing privacy controls in GSA PII systems, and key roles and responsibilities for verifying the implementation of those controls have not been documented. To promote the establishment of improved policies and procedures to manage risk with PII, it is important that GSA clearly communicate its long-term goals and milestones to guide the Privacy Act Program. While responsibilities for protecting PII lie with various entities in GSA, a program implementation plan highlighting key milestones and performance goals and measures is not in place to guide the various players in implementing GSA’s Privacy Act Program. Accountability is important for the success of GSA’s Privacy Act Program and should guide a program implementation plan that will assist with managing and protecting GSA’s PII. A program implementation plan would further guide coordination amongst key officials responsible for privacy data and ensure these officials accurately reflect agency-wide privacy policies and procedures.
Such a plan would identify all key players involved in implementing the Privacy Act Program and identify necessary communication activities and information flows to protect PII. Improved management controls, including a program implementation plan to guide the Agency’s Privacy Act Program, are needed to ensure successful coordination of privacy responsibilities at all levels within GSA.

[9] FY 2007 Office of Inspector General FISMA Review of GSA’s Information Technology Security Program, Report Number A070108/O/T/F07015, dated September 17, 2007.

Privacy Policies and Procedures Have Not Fully Considered PII Maintained Outside of Major IT Systems that Collect and Store PII

For the FY 2007 timeframe, GSA’s Privacy Act Program identified 18 major IT systems that collect and store PII. Specific IT controls required for PII include policy stating that employees shall not remove PII from GSA facilities or access PII remotely unless approved in writing and that PII shall not be stored on or accessed from personally owned computers or personally owned mobile devices. GSA’s IT Security Policy also states that PII shall be stored on network drives and/or in application databases with proper access controls and shall be made available only to those individuals with a valid need to know, and that encryption is required when exchanging PII via e-mail or when stored on workstations or mobile devices. However, the Privacy Act Program has not yet ensured that PII stored on laptops and servers or in databases or applications that are not considered part of a major IT system is identified and protected. Specifically, over the past year we have identified numerous instances where PII stored outside of major IT systems was placed at undue risk.
Controls for GSA’s Privacy Act data could be more robust to better address known risks associated with all PII, including PII stored outside of major IT systems that collect and store PII. Technical controls, such as automated content management and data leakage technologies, are readily available, and the use of such tools to facilitate the identification or storage of PII across GSA’s entire system environment is currently being evaluated by the OCIO. Until such tools are provided to system officials responsible for privacy controls, compensating controls and mechanisms (manual or automated) should be considered to identify and protect PII stored outside of major IT systems throughout GSA’s IT infrastructure.

Many of the recent OMB Memoranda, including OMB Memorandum M-06-16 and an OMB Memorandum titled the “Top 10 Risks Impeding the Adequate Protection of Government Information,” stipulate specific actions that should be taken to protect sensitive information. While the joint instructional letter issued by the CHCO and the CIO initially was provided to establish additional policy and direction for protecting PII in IT systems and any associated record, the current CIO IT Security Policy with updated security requirements does not address privacy controls for PII that is stored outside of major IT systems. Such controls are needed to address the risk inherent with PII stored and transmitted across and outside the GSA IT infrastructure. In September 2007, we identified two privacy control vulnerabilities where we were able to access social security numbers (SSNs) for several Federal government employees and owners of sole proprietorship operated businesses on a website accessible through GSA’s Intranet.
Over the past few months, we also discovered that access controls were not adequately assessed to ensure the appropriate level of protection for databases that contain PII for two Privacy Act systems using the Business Objects reporting software [10]. In one instance, an authorized user from a client agency, while utilizing one of the Business Objects reporting tools, was able to produce a report that displayed over 40,000 employee records containing sensitive employee data for several agencies, including GSA. We also recently reported [11] to the GSA-CIO that Lotus Notes databases were developed and implemented without having appropriate access controls in place to prevent unauthorized access to PII, including date of birth, name, and SSN. The OCIO has begun taking steps to remediate reported vulnerabilities for the Agency’s Lotus Notes databases; however, these examples, together, demonstrate the need to ensure that effective controls are in place to better protect PII, including PII that is stored outside systems designated as major IT systems, from unauthorized disclosure and access and to preserve authorized access restrictions.

[10] The Business Objects utility is a commercial off-the-shelf product that is used to run queries and reports against databases.

[11] Alert Report on Security of GSA’s Electronic Messaging Services (GEMS) and National Notes Infrastructure (GNNI), Report Number A070180/O/T/W07001, dated September 12, 2007.

Appropriate Privacy-Related Clauses Are Needed in All IT Contracts

In 2003, we reported the need to place restrictions or penalties on unauthorized disclosures and for GSA IT service contracts to specifically state requirements to protect Privacy Act data. Since then, the Office of Acquisition Policy has developed contract clauses in the Federal Acquisition Regulations (FAR) to cover Privacy Act information.
According to the FAR, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function, the contracting officer shall insert the following clauses in solicitations and contracts: (a) the clause at 52.224-1, Privacy Act Notification, and (b) the clause at 52.224-2, Privacy Act. The GSA IT Security Policy, updated in June 2007, states that all GSA contracts and Requests for Proposals (RFPs) involving Privacy Act information must adhere to the FAR Privacy Act provisions and include the specified contract clauses, as appropriate, to ensure that personal information and the system data are protected as mandated by contractors who work on GSA-owned IT systems. However, based on our analysis, IT support contracts for GSA systems with PII still do not consistently include the required privacy-related FAR clauses. During an implementation review of the recommendations from our previous report, we analyzed four IT support contracts for three major IT systems that collect and store PII – the Payroll Accounting and Reporting (PAR) system, GSAJobs, and the Comprehensive Human Resources Integrated System (CHRIS) – and found that two of the contracts did not include or reference the requisite FAR clauses. In 2007, we analyzed IT support contracts for three additional Privacy Act systems – STAR, CWGT, and FBO. Two of these three IT support contracts did not include or reference the appropriate FAR clauses related to privacy. We were informed that the Office of the Chief Acquisition Officer (OCAO) Office of Acquisition Integrity has agreed to work with the OCHCO Information Resources and Privacy Management Division during FY 2008 to review a sample of contracts for major IT systems that collect and store PII to verify whether or not the contracts include the appropriate privacy-related FAR clauses.
Without the assurance of adequate contract provisions for protecting Privacy Act data required for these important systems, GSA cannot be sure that contractors are aware of restrictions on Privacy Act data and their responsibilities for protecting PII. Such provisions are also needed to adequately prepare for a potential PII security breach and to respond effectively as needed to manage the consequences of unauthorized access to PII, including the threat of identity theft.

Role-Based Training Is Necessary to Clarify Privacy Responsibilities

Tightened IT security and data privacy is intended to better protect sensitive information, including PII that can be easily transported outside Federal buildings. However, it is essential that GSA Associates and contractors, who are increasingly relied on and entrusted with access to Privacy Act data, fully understand the need to safeguard PII and that those with significant privacy responsibilities agree to protect such sensitive data. While GSA has provided basic privacy awareness training to the majority of GSA Associates and contractors, this training did not address OMB Memorandum M-06-16 requirements regarding the protection of remote access, storage, and transportation of PII. Role-based privacy training, which would provide job-specific and comprehensive information privacy training for all GSA Associates and contractors directly involved in the administration of personal information, has not yet been provided. Initially, OCHCO planned to implement role-based privacy training in 2006; however, the training has been postponed. The OCHCO now plans to begin role-based privacy training in early 2008. This training is intended to provide best practices for handling and disseminating PII and will be made available to persons whose jobs require the handling and use of PII, such as Human Resource Specialists and Payroll Specialists.
Without sufficient role-based privacy training for GSA Associates and contractors responsible for the protection of PII, this sensitive information may not be adequately protected from unauthorized or unintentional disclosure and/or modification.

System Vulnerability Tests Revealed Weaknesses in Configuration and Patch Management

We applied commercially available tools, manual techniques, and agreed-upon procedures to test controls for three of GSA’s major IT systems that collect and store PII [12]. Testing included conducting network security scans, examining database configuration, and reviewing web application security. We found that improvements in system configuration settings and timely patch management are needed to secure these systems and protect PII. Specific vulnerabilities for the three major IT systems tested are included in Appendix C. Due to the sensitive nature of the information contained in this appendix, only reports provided to the Offices of the CHCO and CIO contain detailed scanning results.

System Configuration Settings Improvements Are Needed

Configuration management provides a structured methodology for applying technical and administrative changes and monitors the results of changes throughout the resource life cycle. Configuration management provides assurance that the IT resource in operation is the correct version (configuration) and that changes to be made are reviewed for security implications prior to implementation. Configuration management helps ensure changes to IT systems take place in an identifiable and controlled environment and do not unintentionally harm any of the IT resource’s properties, including its security. Changes to the IT resource have security implications because they may introduce or remove vulnerabilities, because changes require updating of IT Security documentation (e.g. contingency plan, risk assessment, etc.), and because they may impact accreditation.
Configuration management weaknesses were found within the hardware, software, and database platforms for all three of the GSA major IT systems that collect and store PII selected for testing. On one of the systems tested, much of the hardware had reached its end-of-life (EOL) date and is no longer supported by the manufacturer. The operating system and the database management system (DBMS) could not be upgraded due to compatibility issues, and many of the latest software patches and security enhancements could not be installed, exposing the system to many known vulnerabilities. Operating system patches were also needed in another system to correct outdated and vulnerable mail service software. Unnecessary services were found on two systems, leaving potential entry points for unauthorized access.

[12] The systems tested during this review were the System for Tracking and Administering Real-Property (STAR), FedBizOps (FBO), and the Carlson Wagonlit e-Travel System (CWGT).

Configuration weaknesses were also found in one of the web-based applications tested. Two of these weaknesses provided information that could have assisted an unauthorized user in performing a malicious attack and allowed users to create weak passwords. Controls should be in place to ensure that GSA’s systems are appropriately hardened to reduce risk of inadvertent or unauthorized access to PII.

Timely Patch Management Could Reduce Security Vulnerabilities

Technical scanning conducted on the same three systems indicated that the periodic cumulative DBMS patches have not been applied in a timely fashion, exposing these systems to numerous known vulnerabilities. For example, testing conducted on February 26, 2007 revealed that one of GSA’s systems using a Sybase DBMS had not yet applied a cumulative patch released on April 14, 2006, 10 months after the patch was released.
Tests performed on March 15, 2007 indicated that one of GSA’s Oracle DBMS-based systems had not yet applied an Oracle critical update released in July 2005, approximately 20 months after the patch was released. Scans performed against another GSA Oracle DBMS-based system, performed on April 23, 2007, indicated that Oracle critical updates released in January 2007 had not been installed and were scheduled for installation on the production database in October 2007, 10 months after the patch was released [13]. Timely patch management is needed to mitigate the risk of exposure to known vulnerabilities and potential unauthorized access to PII in Agency major IT systems that collect and store PII.

Implementing Specific Controls for PII Requires Additional Actions

Over the past two years, OMB memoranda have highlighted the importance of privacy officers in Federal agencies, including specific actions intended to better protect PII. OMB memoranda addressed to heads of agencies and departments include M-06-16, issued in June 2006, and M-07-16, issued in May 2007. M-06-16 requires that agencies assess their baseline of privacy activities and properly safeguard their assets while using information technology to compensate for the lack of physical security controls when information is removed from, or accessed from outside, the agency location. Specifically, agencies are to review their privacy controls against a checklist for protection of remote information and implement four additional controls within 45 days of the issuance of the memorandum. M-07-16 requires that agencies develop and implement a breach notification policy to outline the framework within each agency for ensuring that the proper safeguards are in place to protect sensitive information within 120 days from the date of the memorandum.
To address increased risk with PII, the use of social security numbers (SSNs) in agency systems and programs should be carefully reassessed to identify instances in which collection or use of the SSN is superfluous. OMB requires a plan to guide in the elimination of unnecessary collection and use of SSNs within 18 months. Although GSA has made progress toward implementing better safeguards for protecting PII and in meeting new privacy requirements, additional actions are needed to establish such important controls required to manage the escalating risks with PII.

[13] We confirmed that these updates were applied with a patch in October 2007, as intended.

OMB Memorandum M-06-16 directed all departments and agencies to take the following actions: (1) encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by the agency Deputy Secretary or an individual he/she may designate in writing; (2) allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access; (3) use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity; and (4) log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days or its use is still required. While the GSA-CIO IT Security Policy requires that all four requirements from M-06-16 be implemented in GSA’s IT systems, almost one and a half years after the controls were to be implemented, three of the four provisions have not been fully implemented. Specifically, GSA has not yet implemented an encryption solution to force users to encrypt PII stored on GSA user workstations or mobile devices.
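The fourth M-06-16 action listed above (log every computer-readable extract from a database holding sensitive information, and within 90 days verify that it has been erased or that its use is still required) is easy to state and easy to let lapse without a routine check. The Python below is an added illustration, not part of this audit report and not any GSA or OCIO tool: it reviews a constructed extract log against that 90-day rule and returns the extracts needing action. The log fields, the sample records and the rule that a “still required” confirmation is good for one 90-day cycle before it must be renewed are all assumptions made for the example.

```python
from datetime import date, timedelta

# OMB M-06-16 item (4): each logged extract must, within 90 days, be verified
# as erased or have its continued use confirmed as still required.
RETENTION_DAYS = 90

# Constructed sample extract log for this example (not from the audit report).
# "erased" and "still_required_on" are None when that event was never recorded.
SAMPLE_EXTRACT_LOG = [
    {"extract_id": "X-0001", "system": "payroll-db", "requester": "hr.analyst1",
     "extracted": "2007-01-10", "erased": "2007-02-01", "still_required_on": None},
    {"extract_id": "X-0002", "system": "payroll-db", "requester": "hr.analyst2",
     "extracted": "2007-01-10", "erased": "2007-05-15", "still_required_on": None},
    {"extract_id": "X-0003", "system": "jobs-db", "requester": "staffing.user",
     "extracted": "2007-05-01", "erased": None, "still_required_on": None},
    {"extract_id": "X-0004", "system": "chris-db", "requester": "benefits.user",
     "extracted": "2007-02-01", "erased": None, "still_required_on": "2007-04-25"},
    {"extract_id": "X-0005", "system": "payroll-db", "requester": "audit.user",
     "extracted": "2006-12-01", "erased": None, "still_required_on": None},
    {"extract_id": "X-0006", "system": "jobs-db", "requester": "staffing.user",
     "extracted": "2006-10-15", "erased": None, "still_required_on": "2007-01-05"},
]


def _as_date(value):
    """Accept an ISO date string, a date object, or None."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


def review_extract(record, as_of):
    """Classify one logged extract as of a review date.

    Statuses: erased (on or before the deadline), erased_late, still_required
    (confirmation recorded within the last RETENTION_DAYS; assumed to expire
    and need renewal each cycle), pending (window still open) or overdue
    (window closed with nothing recorded).
    """
    as_of = _as_date(as_of)
    extracted = _as_date(record["extracted"])
    erased = _as_date(record["erased"])
    confirmed = _as_date(record["still_required_on"])
    window = timedelta(days=RETENTION_DAYS)
    deadline = extracted + window
    finding = {"extract_id": record["extract_id"], "system": record["system"],
               "deadline": deadline.isoformat()}

    if erased is not None:
        finding["status"] = "erased" if erased <= deadline else "erased_late"
    elif confirmed is not None and as_of - confirmed <= window:
        finding["status"] = "still_required"
        finding["next_review"] = (confirmed + window).isoformat()
    elif as_of <= deadline:
        finding["status"] = "pending"
        finding["days_remaining"] = (deadline - as_of).days
    else:
        finding["status"] = "overdue"
        finding["days_overdue"] = (as_of - deadline).days
    return finding


def review_extract_log(log, as_of):
    """Review every record in the log as of the given date."""
    return [review_extract(record, as_of) for record in log]


def summarize(findings):
    """Count findings by status, for a management summary."""
    counts = {}
    for finding in findings:
        counts[finding["status"]] = counts.get(finding["status"], 0) + 1
    return counts


def exceptions(findings):
    """Extract ids needing follow-up: overdue, or erased only after the deadline."""
    return [f["extract_id"] for f in findings
            if f["status"] in ("overdue", "erased_late")]


if __name__ == "__main__":
    results = review_extract_log(SAMPLE_EXTRACT_LOG, "2007-06-01")
    for finding in results:
        print(finding)
    print(summarize(results))
    print("needs action:", exceptions(results))
```

Run against the sample log as of 2007-06-01, the review reports one extract erased on time, one erased late, one still inside its window, one with a current “still required” confirmation, and two overdue (one of them carrying a stale confirmation from January). The point of treating a late erasure as an exception, rather than as closed, is that it is the evidence the control is not operating as intended, which is the verification M-06-16 asks for.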
GSA is in the process of preparing a deployment schedule for an encryption solution called Credant. According to officials in the OCIO, the infrastructure is in place to deploy the solution, and GSA plans to complete a pilot of the technology before the full-scale deployment. The initial version of Credant that GSA planned to implement did not allow for automatic encryption of USB devices [14]; however, according to GSA CIO’s office, a new version has recently been released that has made USB encryption policies easier to implement. GSA plans to implement this version in the spring of 2008, along with the laptop rollout. Without enforcement of these controls, either automated or through other compensating measures, it is up to the individual user to ensure that PII is encrypted as required. In addition, two-factor authentication for electronic portable devices that contain PII, where one of the factors is provided by a device separate from the computer gaining access, has not yet been implemented. Rather than investing significant resources to develop and implement a solution for two-factor authentication that may not be in compliance with Homeland Security Presidential Directive (HSPD)-12, GSA plans to address this requirement with its HSPD-12 solution. GSA has tested a two-factor authentication solution and is working on the standard for readers on the desktops and laptops for a pilot, planned for approximately 50 users.
Further, GSA has not implemented the control requiring that computer-readable data extracts from databases holding PII be logged and erased within 90 days unless their use is still required, as officials have stated that they are unaware of any immediate viable solution to implement this control.

[14] A USB device is a mobile storage device that could be used to store sensitive information.

In assessing the Agency’s adherence to the security checklist provided with OMB Memorandum M-06-16, we found that GSA has implemented controls for confirming the identification of PII protection needs. GSA has also partially implemented controls for verifying the adequacy of organizational policy and protecting the transportation and remote storage of and remote access to PII. However, these controls are being provided primarily at the policy and/or procedures level and have not been fully implemented with GSA’s PII systems and extended IT infrastructure. Agency-wide responsibility for ensuring that these controls have been implemented per privacy policy has not yet been established, and GSA has not yet implemented the following controls: (1) controls enforcing no remote storage/transportation of and no remote access to PII, when not permitted; (2) controls enforcing that remote transportation/storage of and remote access to PII be encrypted; and (3) controls enforcing allowed downloading of PII.

Further, OMB Memorandum M-07-16 identifies additional controls required for PII and specifies that responsibility for safeguarding PII is shared by officials accountable for administering operational and privacy and security programs, legal counsel, Agencies’ Inspectors General and other law enforcement, and public and legislative affairs.
The memorandum requires that agencies implement a breach notification policy and outlines a framework to ensure that the proper safeguards are in place to protect privacy information. It also requires that agencies reassess the need to collect and use SSNs within IT systems and develop a plan to eliminate the use and collection of SSNs where superfluous. The Agency has been working to meet the requirements of M-07-16 and has issued an Information Breach Notification Policy [15] via an instructional letter on September 21, 2007 to provide policy on what actions should be taken when it is determined that PII has been compromised. GSA has identified initial milestones for collecting information from system owners on whether their system collects SSNs and, if so, for what purpose. System owners were also asked what impact discontinued use of SSNs may have on their systems. By the end of December 2007, GSA was to make decisions as to which specific systems need to continue to collect/use SSNs. GSA recognizes the need to lessen the use of SSNs but also realizes that some systems will not be able to function without collecting this data element. While GSA has made initial efforts in determining how to reduce the collection and use of SSNs, a detailed plan that identifies key activities, milestones, and performance measures to remove use of SSNs, where superfluous, has not yet been developed. Although GSA has made progress toward implementing better safeguards for protecting PII and in meeting new privacy requirements, additional actions are needed to establish required privacy controls and manage the escalating risks with PII to ensure that PII is not put at risk of unauthorized or unintentional disclosure.

Conclusion

Within GSA, the CIO and CHCO share responsibility and accountability for developing, implementing and administering the Agency’s controls for protecting PII.
Additionally, the Office of Acquisition Policy within the OCAO is responsible for developing, coordinating, and obtaining the required public comments and clearance on FAR clauses related to privacy and the protection of sensitive personal information. GSA has taken steps toward improving the protection of PII, including revisions to the GSA IT Security Policy to provide additional safeguards for PII and the implementation of a Privacy Act Program that identifies roles and responsibilities for protecting PII. GSA has also established a minimum level of controls required for Privacy Act systems which address specific PII challenges, including the potential of unauthorized or unintentional disclosure of privacy information. However, improvements to the GSA Privacy Act Program are needed to ensure that PII is consistently protected and that risk of unauthorized or unintentional disclosure of such sensitive information is further reduced. Employing effective controls to protect PII data across the Agency’s system environment, whether the information is stored within an information system or on network or removable storage devices, is necessary to ensure that GSA Associates and contractors have a clear understanding of both the technical and human aspects of securing privacy information as well as acknowledging the need to address not only what is required by law but also what is expected by Agency policy.
An effective Privacy Act Program would also verify that required controls have been implemented and ensure that GSA Associates and contractors have received both basic privacy awareness training as well as specialized role-based or job-specific training to ensure that those responsible for protecting PII are aware of their responsibilities and the consequences of not adequately protecting such sensitive information. Further, improvements to ensure compliance with Agency patch management and system configuration policies and procedures would better ensure that system database and web application servers that store PII are not vulnerable to known exploits. Given their shared responsibility for developing and implementing controls for the protection of PII, clarification of roles and responsibilities between the CIO and CHCO regarding verification of the implementation of privacy-related controls would assist the two offices with managing and monitoring their respective security and privacy programs and ensure that key components necessary for an effective Privacy Act Program have been identified, developed, and implemented.

[15] For this review, we verified that the Breach Notification Policy has been developed for GSA, but we did not assess the adequacy of or adherence to the policy.

Recommendations

To better manage risks of unauthorized or unintentional disclosure of personally identifiable information (PII), we recommend that the Chief Human Capital Officer:
    (1) Develop an implementation plan for the Privacy Act Program which identifies key roles, responsibilities, milestones, and management performance measures to achieve long-term improvement goals.
    (2) Work closely with the Chief Information Officer to establish collaborative agency-wide procedures to:
        (a) Ensure that the Privacy Act Program is integrated with the Agency’s security program and assesses risk with and identifies controls for all PII, including PII residing outside of major IT systems.
        (b) Periodically assess the need for and potential uses of automated content management and data leakage tools or other procedures to assist in identifying and protecting PII within GSA’s IT and system environment.
        (c) Confirm that required security hardening guides are being appropriately followed and that identified vulnerabilities are promptly recorded and mitigated for major IT systems that collect and store PII.
        (d) Implement remaining privacy controls required by M-06-16, including encryption and two-factor authentication for systems maintaining PII.
        (e) Develop a plan that includes the key activities, milestones, and performance measures necessary to guide GSA in discontinuing the collection and storage of SSNs in IT systems where no longer required.
    (3) Work with the Office of the Chief Acquisition Officer to review contracts in support of major IT systems that collect and store PII to ensure that the appropriate privacy clauses have been included and that contractors supporting Privacy Act Systems of Records are aware of and fulfill their roles and responsibilities for protecting GSA's PII.
    (4) Complete development and implementation of role-based training for GSA Associates and contractors who are responsible for protecting sensitive information, including PII.

Management Comments

The CHCO and CIO provided consolidated management comments on March 28, 2008 on specific audit findings and recommendations in response to our draft report.
The comments indicate a general concurrence with our audit findings and recommendations, and a copy of the comments is included as Appendix D. The CHCO and the CIO agreed with our recommendation to develop an implementation plan for the Privacy Act Program which identifies key roles, responsibilities, milestones, and management performance measures to achieve long-term improvement goals. Management also acknowledged the need to do more to protect PII and identified planned actions to meet audit recommendations. Management comments indicate that the CHCO will work more closely with the OCIO to ensure that hardening guides are being appropriately applied and that the CHCO is working with the Office of Procurement Management Review, Office of Acquisition Integrity to randomly audit Privacy Act systems to ensure that the proper FAR clauses are included. In response to our recommendation to implement remaining privacy controls required by OMB Memorandum M-06-16, management comments provided additional information on the status of two of the three remaining requirements. The response also stated that GSA was unaware of a technical means to log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days or its use is still required. While management comments explained that some manual processes are being used in a limited capacity to support this requirement, we reaffirm the importance of determining an automated method to implement this control.

Management comments highlight activities recently completed and planned related to our recommendation to develop a plan that includes key activities, milestones, and performance measures necessary to guide GSA in discontinuing the collection and storage of SSNs in IT systems where no longer required.
In response to our recommendation to complete development and implementation of role-based training for GSA Associates and contractors responsible for protecting sensitive information, including PII, management comments discuss goals to begin role-based training and highlight a 95% completion rate of the Privacy Awareness training over the past year. Management comments in response to our recommendation to assess the need for and potential uses of automated content management and data leakage tools or other procedures to assist in identifying and protecting PII within GSA’s IT and system environment explain that the OCIO is currently evaluating data leakage prevention tools to assist in identifying and protecting PII within GSA’s IT and system environment. While evaluating automated content and data leakage tools is a first step toward better protecting PII stored outside of IT systems that maintain Privacy Act data, our audit found that the Privacy Act Program has not yet ensured that PII stored on laptops and servers or in databases or applications that are not considered part of a major IT system is identified and protected as needed. Over the past year we identified numerous instances where PII stored outside of major IT systems was placed at undue risk. Therefore, we reaffirm the need to better ensure that all PII in GSA’s IT systems environment be identified and properly protected from unauthorized access, modification, and disclosure.

Internal Controls

As part of our review, we assessed the effectiveness of the Agency’s Privacy Act Program and the implementation of controls for the protection of Privacy Act data. This audit included a review of selected management, operational, and technical controls relating to privacy for three of GSA’s major IT systems that collect and store PII – FBO, STAR, and CWGT.
This report states in detail the need to strengthen specific controls in order to strengthen the Privacy Act Program and better implement controls to protect PII.

Appendix A – GSA Data Collection Instrument

This data collection instrument (DCI) was developed by the FAEC IT Committee of the PCIE/ECIE to assist IGs in determining their agency's compliance with OMB Memorandum M-06-16. The data collection instrument contains three parts. The first part is based on a security checklist developed by NIST (see Section 1 below). Questions in the DCI are designed to assess Agency requirements in the memorandum, which are linked to NIST SP 800-53 and 800-53A. Each IG can use the associated checklist and the relevant validation techniques for their own unique operating environment. Section 2 is the additional actions required by OMB M-06-16. Section 3 should document your overall conclusion as well as detailed information regarding the type of work completed and the scope of work performed.

For each overall Step and Action Item, please respond yes, no, partial, or not applicable. For no, partial, and not applicable responses, please provide additional information in the comments sections. After the yes, no, partial, or not applicable response, IGs have the option to provide an overall response using the six control levels as defined below for the overall Step. Each condition for the lower level must be met to achieve a higher level of compliance and effectiveness. For example, for the control level to be defined as "Implemented", the Agency must also have policies and procedures in place. The determination of the control level for each step should be based on the responses provided to the Action Items included in that step.

Controls Not Yet in Place - The answer would be "Controls Not Yet in Place" if the Agency does not yet have documented policy for protecting PII.
Policy - The answer would be "Policy" if controls have been documented in Agency policy.
Procedures - The answer would be "Procedures" if controls have been documented in Agency procedures.
Implemented - The answer would be "Implemented" if the implementation of controls has been verified by examining procedures and related documentation and interviewing personnel to determine that procedures are implemented.
Monitor & Tested - The answer would be "Monitor & Tested" if documents have been examined and interviews conducted to verify that policies and procedures for the question are implemented and operating as intended.
Integrated - The answer would be "Integrated" if policies, procedures, implementation, and testing are continually monitored and improvements are made as a normal part of agency business processes.

Section One
Security Controls and Assessment Procedures

Security Checklist For Personally Identifiable Information That Is To Be Transported and/or Stored Offsite, Or That Is To Be Accessed Remotely

REQUIRED RESPONSE (each Step and Action Item): Yes / No / Partial / Not Applicable
OPTIONAL RESPONSE (each overall Step): Controls Not Yet in Place / Policy / Procedures / Implemented / Monitor & Tested / Integrated

STEP 1: Has the Agency confirmed identification of personally identifiable information protection needs? If so, to what level?
Required response: Yes. Optional response: Procedures.

Action Item 1.1: Has the Agency verified information categorization to ensure identification of personal identifiable information requiring protection when accessed remotely or physically removed?
Required response: Yes.
Comments: GSA has verified information categorization to ensure identification of PII requiring protection when accessed remotely or physically removed. GSA uses FIPS PUB 199 as guidance for assigning security categorization level within PII systems and has an automated system to help with and provide rigor to the process. Annually, the CPO requires PIAs be developed for (1) existing PII systems that have undergone a significant change since last year (such as changes in the collection or flow of data, new uses or disclosure of information, or incorporation of additional data items); (2) new systems containing personal information about members of the general public that have been developed since last year’s PIA submissions; and (3) all systems with personal information about Federal government employees. The CPO provides a template for use in completing PIAs for GSA's PII systems.

Action Item 1.2: Has the Agency verified existing risk assessments?
Required response: Yes.
Comments: GSA has verified existing risk assessments. For 5 of GSA's 18 PII systems, risk assessments have not yet been updated to address remote access and physical removal of PII data; however, most of these systems are undergoing certification and accreditation.

OVERALL STEP 1 COMMENTS: GSA has defined PII as “any personal information that is associated with a unique identifier and can be accessed through that identifier. A personal identifier usually is a name plus another piece of information such as a Social Security Number (SSN), but can be any designation that is unique to a particular person. Personal information, for Federal government purposes, is any information that is protected by the Privacy Act. This includes personal information collected about public individuals. It also includes information collected about Federal personnel, with some exceptions for work-related information.
In addition to name and SSN, some PII examples are a name plus home street and e-mail addresses, home and emergency telephone numbers, date of birth, marital status, race, sex, national origin, qualifications, medical history, private sector employment history, financial and credit records, grievances and appeals, legal and arrest records, and information about some (but not all) personnel actions.” GSA has identified 18 PII systems and designated each PII system as a moderate impact system. GSA has verified information categorization to ensure identification of PII requiring protection when accessed remotely or physically removed and verified existing risk assessments.

STEP 2: Has the Agency verified the adequacy of organizational policy? If so, to what level?
Required response: Partial. Optional response: Policy.

Action Item 2.1: Has the Agency identified existing organizational policy that addresses the information protection needs associated with personally identifiable information that is accessed remotely or physically removed?
Required response: Yes.
Comments: GSA has verified the adequacy of organizational policy. Recent joint policy from the CIO and CPO establishes requirements for remote access to and physical removal of PII; however, there is no enforcement of these controls.

Action Item 2.2: Does the existing Agency organizational policy address the information protection needs associated with personally identifiable information that is accessed remotely or physically removed?
Required response: Partial.
    1. For Personally Identifiable Information physically removed:
        a. Does the policy explicitly identify the rules for determining whether physical removal is allowed? Response: Yes.
        b. For personally identifiable information that can be removed, does the policy require that information be encrypted and that appropriate procedures, training and accountability measures are in place to ensure that remote use of this encrypted information does not result in bypassing the protection provided by the encryption? Response: Partial.
    2. For Personally Identifiable Information accessed remotely:
        a. Does the policy explicitly identify the rules for determining whether remote access is allowed? Response: Partial.
        b. When remote access is allowed, does the policy require that this access be accomplished via a virtual private network (VPN) connection established using agency-issued authentication certificate(s) or hardware tokens? Response: No.
        c. When remote access is allowed, does the policy identify the rules for determining whether download and remote storage of the information is allowed? (For example, the policy could permit remote access to a database, but prohibit downloading and local storage of that database.) Response: Yes.
Comments: Policy states that an employee shall not remove PII from GSA facilities (including GSA managed programs housed at contractor facilities under contract), or access it remotely, without written permission from the employee’s supervisor, the data owner, and the IT system authorizing official. This applies to electronic media (e.g., laptops, Blackberries, USB drives), paper, and any other media (e.g., CDs/DVDs) that may contain PII. Policy states that if it is a business requirement to store PII on GSA user workstations or mobile devices including, but not limited to, notebook computers, USB drives, CD-ROMs/DVDs, personal digital assistants and Blackberries, PII must be encrypted using an approved NIST algorithm, i.e., 3DES or AES. Certified encryption modules must be used to the greatest extent possible in accordance with FIPS PUB 140-2. Recommended methods of file encryption are also provided. Policy requires PII e-mailed within the GSA network or transmitted over the Internet to be encrypted. Basic privacy training has been provided to almost 80% of GSA Associates and contractors; however, this training does not instruct employees and contractors on how to implement or use encryption technologies during remote access or physical removal of data on mobile devices. Policy states that the Authorizing Official or their designee must grant remote access (i.e., external to GSA’s network) privileges only to those GSA Associates and contractors with a legitimate need for such access as approved; however, there are no clear criteria for determination of remote access authorization. GSA has implemented a VPN solution for remote access but utilizes user name and password for authentication rather than an agency-issued certificate or a hardware token. Policy requires sensitive data on mobile storage devices that are removed from GSA premises be password protected or encrypted. While policy addresses the requirements for remote access to and physical removal of PII data, controls are not enforced to ensure compliance with established policy.

Action Item 2.3: Has the organizational policy been revised or developed as needed, including steps 3 and 4?
Required response: Yes.
Comments:

OVERALL STEP 2 COMMENTS: GSA has verified the adequacy of organizational policy and updated policy as needed; however, GSA does not perform any checks to ensure that policies and procedures established for the protection of PII are consistently implemented. There are no clear criteria stated for determination of remote access authorization, and the Privacy Act training currently deployed by GSA does not instruct employees and contractors on how to implement or use encryption technologies during remote access or physical removal of data on mobile devices.
GSA uses a VPN for remote access but does not use an agency-issued certificate or hardware token for authentication.

STEP 3: Has the Agency implemented protections for personally identifiable information being transported and/or stored offsite? If so, to what level?
Required response: Partial. Optional response: Policy.

Action Item 3.1: In the instance where personally identifiable information is transported to a remote site, have the NIST Special Publication 800-53 security controls ensuring that information is transported only in encrypted form been implemented?
Required response: Partial.
    * Evaluation could include an assessment of tools used to transport PII for use of encryption.
Comments: Policy states that an employee shall not remove PII from GSA facilities (including GSA managed programs housed at contractor facilities under contract), or access it remotely, without written permission from the employee’s supervisor, the data owner, and the IT system authorizing official. This applies to electronic media (e.g., laptops, Blackberries, USB drives), paper, and any other media (e.g., CDs/DVDs) that may contain PII. Policy states that if it is a business requirement to store PII on GSA user workstations or mobile devices including, but not limited to, notebook computers, USB drives, CD-ROMs/DVDs, personal digital assistants and Blackberries, PII must be encrypted using an approved NIST algorithm, i.e., 3DES or AES. Certified encryption modules must be used to the greatest extent possible in accordance with FIPS PUB 140-2. Recommended methods of file encryption are also provided. Policy requires PII e-mailed within the GSA network or transmitted over the Internet to be encrypted. While policy addresses the requirements for transportation of PII data, controls for encryption of transportation of GSA PII are not enforced to ensure compliance with established policy.

Action Item 3.2: In the instance where PII is being stored at a remote site, have the NIST SP 800-53 security controls ensuring that information is stored only in encrypted form been implemented?
Required response: Partial.
    * Evaluation could include a review of remote site facilities and operations.
Comments: Policy states that an employee shall not remove PII from GSA facilities (including GSA managed programs housed at contractor facilities under contract), or access it remotely, without written permission from the employee’s supervisor, the data owner, and the IT system authorizing official. This applies to electronic media (e.g., laptops, Blackberries, USB drives), paper, and any other media (e.g., CDs/DVDs) that may contain PII. Policy states that if it is a business requirement to store PII on GSA user workstations or mobile devices including, but not limited to, notebook computers, USB drives, CD-ROMs/DVDs, personal digital assistants and Blackberries, PII must be encrypted using an approved NIST algorithm, i.e., 3DES or AES. Certified encryption modules must be used to the greatest extent possible in accordance with FIPS PUB 140-2. Recommended methods of file encryption are also provided. Policy requires PII e-mailed within the GSA network or transmitted over the Internet to be encrypted.
While policy addresses the requirements for storage of PII data, controls for encryption of remote storage of GSA PII are not enforced to ensure compliance with established policy.

OVERALL STEP 3 COMMENTS: While policy addresses the requirements for transportation and remote storage of PII data, controls for encryption of transportation of GSA PII are not enforced to ensure compliance with established policy.

If personally identifiable information is to be transported and/or stored offsite, follow Action Item 4.3; otherwise follow Action Item 4.4.

Response key for each step: Required response is Yes, No, Partial, or Not Applicable. Optional response (level of control) is Controls Not Yet in Place, Policy, Procedures, Implemented, Monitor & Tested, or Integrated.

STEP 4: Has the Agency implemented protections for remote access to personally identifiable information? If so, to what level?
Required response: Partial. Optional response (level): Policy.

Action Item 4.1: Have NIST Special Publication 800-53 security controls requiring authenticated, virtual private network (VPN) connection been implemented by the Agency? Yes
* Evaluation could include a review of the configuration of VPN application(s).
Comments: GSA has implemented a VPN solution for remote access utilizing user name and password for authentication.

Action Item 4.2: Have the NIST Special Publication 800-53 security controls enforcing allowed downloading of personally identifiable information been enforced by the Agency? No
* Evaluation could include a review of controls for downloading PII.
Comments: Policy was recently updated to require that creation of computer-readable data extracts that include PII be recorded in an official log including creator, date, type of information, and user. However, this control has not been implemented and is not enforced. GSA has not yet established a plan to verify that each extract including sensitive data has been erased within 90 days or that its use is still required. Officials stated that they are unaware of any immediate viable solution to implement this control across GSA’s PII systems.

If remote storage of personally identifiable information is to be permitted, follow Action Item 4.3; otherwise follow Action Item 4.4.

Action Item 4.3: Have the NIST Special Publication 800-53 security controls enforcing encrypted remote storage of personally identifiable information been implemented by the Agency? No
Comments: Policy requires that (1) PII shall not be stored on or accessed from personally owned computers or personally owned mobile devices; (2) PII shall only be accessed from government furnished equipment (GFE) or contractor maintained computers configured in accordance with GSA IT security policy and technical security standards; and (3) if it is a business requirement to store PII on GSA user workstations or mobile devices, including but not limited to notebook computers, USB drives, CD-ROMs/DVDs, personal digital assistants, and Blackberries, PII must be encrypted using an approved NIST algorithm, i.e., 3DES or AES. Without automated enforcement of this policy, verification and enforcement of this control are not possible.

Action Item 4.4: Has the Agency enforced NIST Special Publication 800-53 security controls enforcing no remote storage of personally identifiable information? No
Comments: GSA has no mechanism in place that can monitor or control the storage and encryption of PII data when remote storage is permitted.

OVERALL STEP 4 COMMENTS: GSA has implemented a VPN solution for remote access utilizing user name and password for authentication. While policy addresses the requirements for transportation and remote storage of PII data, controls for encryption of transportation of GSA PII are not enforced to ensure compliance with established policy. GSA has not implemented controls enforcing allowed downloading of PII or enforcing encryption of remote storage of PII.
GSA has also not implemented controls enforcing no remote storage of PII when not permitted.

(The source for all the control steps above is NIST SP 800-53 and SP 800-53A assessment procedures.)

Section Two

Additional Agency Actions Required by OMB M-06-16

Response key: Yes, No, Partial, or Not Applicable.

1. Has the Agency encrypted all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by the Agency Deputy Secretary or an individual he/she may designate in writing? Partial
Comments: Policy regarding encryption of data on mobile computers/devices has been limited to addressing only PII. Policy states that PII shall not be stored on or accessed from personally owned computers or personally owned mobile devices, and that PII shall only be accessed from government furnished equipment or contractor maintained computers configured in accordance with GSA IT security policy and technical security standards. Policy also states that PII shall be stored on network drives and/or in application databases with proper access controls (i.e., user ID/password) and shall be made available only to those individuals with a valid need to know. Policy states that if it is a business requirement to store PII on GSA user workstations or mobile devices, including but not limited to notebook computers, USB drives, CD-ROMs/DVDs, personal digital assistants, and Blackberries, PII must be encrypted using an approved NIST algorithm, i.e., 3DES or AES. Certified encryption modules must be used to the greatest extent possible in accordance with FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Recommended methods of encryption are also provided. This policy was just implemented. Without automated enforcement of this policy, it is up to the individual user to comply. The Agency is beginning a pilot of full disk encryption and plans to begin phased implementation of encrypting all data on laptops in the first quarter of FY07, with complete implementation by the first quarter of FY08. Once full disk encryption is implemented, users will be forced to comply with established policy.

2. Does the Agency use remote access with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access? No
Comments: GSA has not implemented two-factor authentication where one of the factors is provided by a device separate from the computer gaining access. Rather than investing significant resources to develop and implement a two-factor authentication solution that would not comply with Homeland Security Presidential Directive (HSPD)-12, GSA plans to address this requirement with its HSPD-12 solution next year.

3. Does the Agency use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity? Partial
Comments: Policy requires that all remote access connections and mobile devices automatically lock out within 30 minutes of inactivity. However, a test of this control found that it was not implemented consistently. We tested four of GSA's 18 PII systems and found that users were timed out on only two of the systems.

4. Does the Agency log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days or that its use is still required? No
Comments: Policy was recently updated to require that creation of computer-readable data extracts that include PII be recorded in an official log including creator, date, type of information, and user. However, this control has not been implemented and is not enforced. GSA has not yet established a plan to verify that each extract including sensitive data has been erased within 90 days or that its use is still required.
Officials stated that they are unaware of any immediate viable solution to implement this control across GSA’s PII systems.

Section Three

To assist the PCIE/ECIE in evaluating the results provided by individual IGs and in creating the government-wide response, please provide the following information:

Type of work completed (i.e., assessment, evaluation, review, inspection, or audit): Assessment

Scope and methodology of work completed based on the PCIE/ECIE review guide Step 2, page 4. (Please address the coverage of your assessment, and include any comments you deem pertinent to placing your results in the proper context.)

During this assessment, we used the President’s Council on Integrity and Efficiency (PCIE)/Executive Council on Integrity and Efficiency (ECIE) review guide and data collection instrument to direct our work. We interviewed appropriate staff from GSA’s Offices of the Chief People Officer (CPO) and Chief Information Officer (CIO) with key responsibilities for ensuring the protection of Agency sensitive information. We gathered information related to actions GSA has taken to protect personally identifiable information (PII) prior to and in response to the Office of Management and Budget (OMB) Memorandum M-06-16 and considered recently developed Agency policy regarding the protection of sensitive information. We considered the Agency’s mandatory on-line training, information disseminated through the privacy program website, and the Agency report on the activities taken to meet the requirements of M-06-16. We also reviewed a GSA report responding to OMB Memorandum M-06-20 and Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005. We tested select controls for a sample of PII systems to determine whether the 30-minute timeout requirement had been implemented. We reviewed select security and privacy documentation developed for seven PII systems. We also followed up on previously issued audit work by reviewing the list of Systems of Records for accuracy and completeness and developing a timeline documenting major steps and milestones directed at implementing controls for sensitive information.

We met with the Chief Privacy Officer and the Chief Information Officer on September 21, 2006, who generally concurred with the results of our assessment and responses to the PCIE/ECIE data collection instrument.

Assessment Methodologies Used to Complete the DCI Sections (mark all that apply)

                                          Section One                          Section Two
                                          Step 1    Step 2    Step 3    Step 4
Interviews (G/F/C)                        C         C         C         C            C
Examinations (G/F/C)                      F         F         F         F            F
Tests (independently verified - Y/N)      N         N         N         N            Y

Assessment method descriptions are consistent with NIST SP 800-53A, Appendix D, pages 34-36.
G = Generalized. F = Focused. C = Comprehensive. Y = Yes. N = No.

Overall Summary Statement. (Please refer to page five of the review guide for sample language for summary statements.)

GSA has recently defined personally identifiable information (PII) for Agency systems and taken steps toward improving the protection of PII. The Agency’s Chief Privacy Officer (CPO) and Chief Information Officer (CIO) have recently issued a joint instruction letter establishing policy regarding requirements for safeguarding PII. Basic privacy training has also been provided to the majority of Associates and contractors. System Owners for 18 systems that store or process PII have reported to the CIO on compliance with the security checklist included with OMB Memorandum M-06-16. Systems within GSA containing PII have been designated as moderate risk. However, not all of the requirements of Office of Management and Budget (OMB) Memorandum M-06-16 have been satisfied.

The privacy guidance issued by the CPO and CIO covers two of the four recommendations in OMB Memorandum M-06-16.
Specifically, since officials are unaware of any immediate viable solution to implement controls to verify that each extraction of sensitive data has been erased within 90 days or that its use is still required, GSA could not implement this recommendation. Additionally, rather than investing significant resources to implement a two-factor authentication solution that would be replaced by a Homeland Security Presidential Directive (HSPD)-12 compliant solution planned for implementation early next year, GSA decided not to meet the recommendation for two-factor authentication for remote access at this time, but to meet it with its HSPD-12 solution. Within GSA, the joint policy establishes requirements for encrypting PII on removable media and GSA workstations, but without automated enforcement of this policy, verification of this control is not yet possible. The Agency also plans to begin phased implementation of full disk encryption for GSA workstations and laptops next year. The recent policy also requires all remote access connections and mobile devices to be automatically locked out within 30 minutes of inactivity; however, tests of PII systems found that only two of the four systems tested had implemented this control.

In assessing the Agency’s implementation of the security checklist, we found that GSA has implemented controls for confirming the identification of PII protection needs. GSA has also partially implemented controls for verifying the adequacy of organizational policy and for protecting the transportation and remote storage of, and remote access to, PII. However, these controls are being provided primarily at the policy and/or procedures level and have not been fully implemented for GSA’s PII systems. Agency-wide responsibility for ensuring that these controls have been implemented per privacy policy has not yet been established, and GSA has not yet implemented the following controls: (1) controls enforcing no remote storage/transportation of and no remote access to PII, when not permitted; (2) controls enforcing that remote transportation/storage of and remote access to PII be encrypted; and (3) controls enforcing allowed downloading of PII.

Our assessment indicates that the Agency needs to improve policies and procedures for the protection of sensitive information in the following areas: (1) establish and communicate accountability and responsibility for specific privacy controls, including the implementation of technologies used to collect, use, store, and disclose information in identifiable form, to allow for continuous auditing of compliance with established privacy policies; (2) improve privacy training to address OMB Memorandum M-06-16 requirements regarding the protection of remote access, storage, and transportation of PII; (3) obtain input from all Service and Staff Offices to ensure the Agency’s definition of PII is comprehensive and that Associates and contractors fully recognize what information is considered PII; and (4) improve reporting of security weaknesses for PII systems and within the GSA privacy program.
Appendix B – Timeline of GSA Activities Related to Privacy Controls

Date             Event
December 2002    E-Government Act of 2002 signed.
May 2003         CPO issues GSA guidance on ensuring security and privacy of personal information.
October 2003     GSA Privacy Act Program Order issued.
May 2004         GSA CPO issues Guidelines on Conducting PIAs.
December 2004    Public Law 108-447, Transportation, Treasury, Independent Agencies, and General Government Appropriations Act of 2005, identifies Agency and IG requirements for Privacy Reviews.
June 2005        CPO Memo issued on GSA Privacy Act regulations and Systems Of Records (SOR) notices.
August 2005      Submitted Privacy portion of the FY05 FISMA report to OCIO.
December 2005    GSA PIAs posted on gsa.gov.
May 2006         CPO Memo reminds employees of their responsibilities for safeguarding personally identifiable information.
                 OMB M-06-15 on Safeguarding Personally Identifiable Information issued.
June 2006        Privacy Training 101 available on GSA Online University.
                 OMB M-06-16 on Protection of Sensitive Agency Information requires specific privacy controls.
July 2006        OMB M-06-19 on Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments issued.
                 OMB M-06-20 FY06 Reporting Instructions for FISMA and Agency Privacy Management issued.
August 2006      CIO issued IL-06-02, Safeguarding Personally Identifiable Information (PII), regarding safeguarding PII in GSA IT systems and any associated record of that information.
                 GSA Privacy Act Program website launched on gsa.gov.
                 GSA Privacy Act Benchmark report in response to Public Law 108-447, Section 522.
October 2006     Agency submitted FY 06 FISMA report, which included questions related to privacy, to OMB.
May 2007         OMB M-07-16 on Safeguarding Against and Responding to the Breach of Personally Identifiable Information issued.
June 2007        GSA IT Security Policy revised to include Privacy requirements. This policy canceled CIO Instructional Letter 06-02, Safeguarding Personally Identifiable Information (PII).
September 2007   Agency submitted to OMB the FY 07 FISMA report, including a response to specific questions related to privacy.

Appendix C – Vulnerability Scanning Results

Due to the sensitive nature of information contained in this appendix, only reports provided to system security officials and the GSA Senior Agency Information Security Officer contain detailed vulnerability scanning results for the three Privacy Act Systems of Records tested during this review.
Requests for the details of technical vulnerability scanning results should be referred to Jennifer Klimes, Audit Manager, or Gwendolyn McGowan, Deputy Assistant Inspector General for IT Audits.

Appendix D – CHCO/CIO Consolidated Response to Draft Report

APPENDIX E – REPORT DISTRIBUTION

                                                                                  Copies
With Appendix C
Office of the Chief Human Capital Officer (C)                                      3
Office of the Chief Information Officer (I)                                        3
   Office of the Senior Agency Information Security Officer (IS)                   1
Office of Acquisition Policy (MV)                                                  1
Authorizing Official for STAR                                                      1
Authorizing Official for FBO                                                       1
Authorizing Official for CWGT                                                      1
Information Systems Security Manager for STAR                                      1
Information Systems Security Manager for FBO                                       1
Information Systems Security Manager for CWGT                                      1
Information Systems Security Officer for STAR                                      1
Information Systems Security Officer for FBO                                       1
Information Systems Security Officer for CWGT                                      1

Without Appendix C
Counsel to the Inspector General (JC)                                              1
Assistant Inspector General for Auditing (JA and JAO)                              2
Deputy Assistant Inspector General for Finance and Administrative Audits (JA-F)    1
Assistant Inspector General for Investigations (JI)                                1
Internal Control and Audit Division (BEI)                                          1
Administration and Data System Staff (JAS)                                         1